Example 21 with AlgorithmIdentifier
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project hedera-sdk-java by hashgraph.
the class Pem method decryptPrivateKey.
private static PrivateKeyInfo decryptPrivateKey(byte[] encodedStruct, String passphrase) throws IOException {
var encryptedPrivateKeyInfo = EncryptedPrivateKeyInfo.getInstance(ASN1Primitive.fromByteArray(encodedStruct));
AlgorithmIdentifier encryptAlg = encryptedPrivateKeyInfo.getEncryptionAlgorithm();
if (!encryptAlg.getAlgorithm().equals(PKCSObjectIdentifiers.id_PBES2)) {
throw new BadKeyException("unsupported PEM key encryption: " + encryptAlg);
}
PBES2Parameters params = PBES2Parameters.getInstance(encryptAlg.getParameters());
KeyDerivationFunc kdf = params.getKeyDerivationFunc();
EncryptionScheme encScheme = params.getEncryptionScheme();
if (!kdf.getAlgorithm().equals(PKCSObjectIdentifiers.id_PBKDF2)) {
throw new BadKeyException("unsupported KDF: " + kdf.getAlgorithm());
}
if (!encScheme.getAlgorithm().equals(NISTObjectIdentifiers.id_aes128_CBC)) {
throw new BadKeyException("unsupported encryption: " + encScheme.getAlgorithm());
}
PBKDF2Params kdfParams = PBKDF2Params.getInstance(kdf.getParameters());
if (!kdfParams.getPrf().getAlgorithm().equals(PKCSObjectIdentifiers.id_hmacWithSHA256)) {
throw new BadKeyException("unsupported PRF: " + kdfParams.getPrf());
}
int keyLength = kdfParams.getKeyLength() != null ? kdfParams.getKeyLength().intValue() : Crypto.CBC_DK_LEN;
KeyParameter derivedKey = Crypto.deriveKeySha256(passphrase, kdfParams.getSalt(), kdfParams.getIterationCount().intValue(), keyLength);
AlgorithmParameters aesParams;
try {
aesParams = AlgorithmParameters.getInstance("AES");
} catch (NoSuchAlgorithmException e) {
throw new RuntimeException(e);
}
aesParams.init(encScheme.getParameters().toASN1Primitive().getEncoded());
Cipher cipher = Crypto.initAesCbc128Decrypt(derivedKey, aesParams);
byte[] decrypted = Crypto.runCipher(cipher, encryptedPrivateKeyInfo.getEncryptedData());
// we need to parse our input data as the cipher may add padding
ASN1InputStream inputStream = new ASN1InputStream(new ByteArrayInputStream(decrypted));
return PrivateKeyInfo.getInstance(inputStream.readObject());
}
Also used :
PBES2Parameters(org.bouncycastle.asn1.pkcs.PBES2Parameters)
EncryptionScheme(org.bouncycastle.asn1.pkcs.EncryptionScheme)
ASN1InputStream(org.bouncycastle.asn1.ASN1InputStream)
KeyParameter(org.bouncycastle.crypto.params.KeyParameter)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
ByteArrayInputStream(java.io.ByteArrayInputStream)
KeyDerivationFunc(org.bouncycastle.asn1.pkcs.KeyDerivationFunc)
PBKDF2Params(org.bouncycastle.asn1.pkcs.PBKDF2Params)
Cipher(javax.crypto.Cipher)
AlgorithmParameters(java.security.AlgorithmParameters)
Example 22 with AlgorithmIdentifier
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project hedera-sdk-java by hashgraph.
the class Pem method writeEncryptedPrivateKey.
/*
* For some reason, this generates PEM encodings that we ourselves can import, but OpenSSL
* doesn't like. We decided to punt on generating encrypted PEMs for now but saving
* the code for when we get back to it and/or any demand arises.
*/
@SuppressWarnings("unused")
static void writeEncryptedPrivateKey(PrivateKeyInfo pkInfo, Writer out, String passphrase) throws IOException {
byte[] salt = Crypto.randomBytes(Crypto.SALT_LEN);
KeyParameter derivedKey = Crypto.deriveKeySha256(passphrase, salt, Crypto.ITERATIONS, Crypto.CBC_DK_LEN);
byte[] iv = Crypto.randomBytes(Crypto.IV_LEN);
Cipher cipher = Crypto.initAesCbc128Encrypt(derivedKey, iv);
byte[] encryptedKey = Crypto.runCipher(cipher, pkInfo.getEncoded());
// I wanted to just do this with BC's PKCS8Generator and KcePKCSPBEOutputEncryptorBuilder
// but it tries to init AES instance of `Cipher` with a `PBKDF2Key` and the former complains
// So this is basically a reimplementation of that minus the excess OO
PBES2Parameters parameters = new PBES2Parameters(new KeyDerivationFunc(PKCSObjectIdentifiers.id_PBKDF2, new PBKDF2Params(salt, Crypto.ITERATIONS, Crypto.CBC_DK_LEN, new AlgorithmIdentifier(PKCSObjectIdentifiers.id_hmacWithSHA256))), new EncryptionScheme(NISTObjectIdentifiers.id_aes128_CBC, ASN1Primitive.fromByteArray(cipher.getParameters().getEncoded())));
EncryptedPrivateKeyInfo encryptedPrivateKeyInfo = new EncryptedPrivateKeyInfo(new AlgorithmIdentifier(PKCSObjectIdentifiers.id_PBES2, parameters), encryptedKey);
PemWriter writer = new PemWriter(out);
writer.writeObject(new PemObject(TYPE_ENCRYPTED_PRIVATE_KEY, encryptedPrivateKeyInfo.getEncoded()));
writer.flush();
}
Also used :
PBES2Parameters(org.bouncycastle.asn1.pkcs.PBES2Parameters)
PemObject(org.bouncycastle.util.io.pem.PemObject)
EncryptionScheme(org.bouncycastle.asn1.pkcs.EncryptionScheme)
PemWriter(org.bouncycastle.util.io.pem.PemWriter)
KeyParameter(org.bouncycastle.crypto.params.KeyParameter)
KeyDerivationFunc(org.bouncycastle.asn1.pkcs.KeyDerivationFunc)
PBKDF2Params(org.bouncycastle.asn1.pkcs.PBKDF2Params)
EncryptedPrivateKeyInfo(org.bouncycastle.asn1.pkcs.EncryptedPrivateKeyInfo)
Cipher(javax.crypto.Cipher)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
Example 23 with AlgorithmIdentifier
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project apksig by venshine.
the class V1SchemeSigner method generateSignatureBlock.
/**
* Generates the CMS PKCS #7 signature block corresponding to the provided signature file and
* signing configuration.
*/
private static byte[] generateSignatureBlock(SignerConfig signerConfig, byte[] signatureFileBytes) throws NoSuchAlgorithmException, InvalidKeyException, CertificateException, SignatureException {
// Obtain relevant bits of signing configuration
List<X509Certificate> signerCerts = signerConfig.certificates;
X509Certificate signingCert = signerCerts.get(0);
PublicKey publicKey = signingCert.getPublicKey();
DigestAlgorithm digestAlgorithm = signerConfig.signatureDigestAlgorithm;
Pair<String, AlgorithmIdentifier> signatureAlgs = getSignerInfoSignatureAlgorithm(publicKey, digestAlgorithm, signerConfig.deterministicDsaSigning);
String jcaSignatureAlgorithm = signatureAlgs.getFirst();
// Generate the cryptographic signature of the signature file
byte[] signatureBytes;
try {
Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
signature.initSign(signerConfig.privateKey);
signature.update(signatureFileBytes);
signatureBytes = signature.sign();
} catch (InvalidKeyException e) {
throw new InvalidKeyException("Failed to sign using " + jcaSignatureAlgorithm, e);
} catch (SignatureException e) {
throw new SignatureException("Failed to sign using " + jcaSignatureAlgorithm, e);
}
// Verify the signature against the public key in the signing certificate
try {
Signature signature = Signature.getInstance(jcaSignatureAlgorithm);
signature.initVerify(publicKey);
signature.update(signatureFileBytes);
if (!signature.verify(signatureBytes)) {
throw new SignatureException("Signature did not verify");
}
} catch (InvalidKeyException e) {
throw new InvalidKeyException("Failed to verify generated " + jcaSignatureAlgorithm + " signature using" + " public key from certificate", e);
} catch (SignatureException e) {
throw new SignatureException("Failed to verify generated " + jcaSignatureAlgorithm + " signature using" + " public key from certificate", e);
}
AlgorithmIdentifier digestAlgorithmId = getSignerInfoDigestAlgorithmOid(digestAlgorithm);
AlgorithmIdentifier signatureAlgorithmId = signatureAlgs.getSecond();
try {
return ApkSigningBlockUtils.generatePkcs7DerEncodedMessage(signatureBytes, null, signerCerts, digestAlgorithmId, signatureAlgorithmId);
} catch (Asn1EncodingException | CertificateEncodingException ex) {
throw new SignatureException("Failed to encode signature block");
}
}
Also used :
Asn1EncodingException(com.android.apksig.internal.asn1.Asn1EncodingException)
PublicKey(java.security.PublicKey)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
SignatureException(java.security.SignatureException)
InvalidKeyException(java.security.InvalidKeyException)
X509Certificate(java.security.cert.X509Certificate)
AlgorithmIdentifier(com.android.apksig.internal.pkcs7.AlgorithmIdentifier)
Signature(java.security.Signature)
Example 24 with AlgorithmIdentifier
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project kafka by apache.
the class TestSslUtils method generateCertificate.
/**
* Create a self-signed X.509 Certificate.
* From http://bfo.com/blog/2011/03/08/odds_and_ends_creating_a_new_x_509_certificate.html.
*
* @param dn the X.509 Distinguished Name, eg "CN=Test, L=London, C=GB"
* @param pair the KeyPair
* @param days how many days from now the Certificate is valid for
* @param algorithm the signing algorithm, eg "SHA1withRSA"
* @return the self-signed certificate
* @throws CertificateException thrown if a security error or an IO error occurred.
*/
public static X509Certificate generateCertificate(String dn, KeyPair pair, int days, String algorithm) throws CertificateException {
try {
Security.addProvider(new BouncyCastleProvider());
AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(pair.getPrivate().getEncoded());
SubjectPublicKeyInfo subPubKeyInfo = SubjectPublicKeyInfo.getInstance(pair.getPublic().getEncoded());
ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
X500Name name = new X500Name(dn);
Date from = new Date();
Date to = new Date(from.getTime() + days * 86400000L);
BigInteger sn = new BigInteger(64, new SecureRandom());
X509v1CertificateBuilder v1CertGen = new X509v1CertificateBuilder(name, sn, from, to, name, subPubKeyInfo);
X509CertificateHolder certificateHolder = v1CertGen.build(sigGen);
return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
} catch (CertificateException ce) {
throw ce;
} catch (Exception e) {
throw new CertificateException(e);
}
}
Also used :
ContentSigner(org.bouncycastle.operator.ContentSigner)
SecureRandom(java.security.SecureRandom)
CertificateException(java.security.cert.CertificateException)
X500Name(org.bouncycastle.asn1.x500.X500Name)
DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder)
SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
GeneralSecurityException(java.security.GeneralSecurityException)
IOException(java.io.IOException)
CertificateException(java.security.cert.CertificateException)
EOFException(java.io.EOFException)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier)
DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder)
BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder)
AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter)
JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)
X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder)
BigInteger(java.math.BigInteger)
X509v1CertificateBuilder(org.bouncycastle.cert.X509v1CertificateBuilder)
BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)
Example 25 with AlgorithmIdentifier
use of com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier in project XobotOS by xamarin.
the class X509CertSelector method match.
/**
* Returns whether the specified certificate matches all the criteria
* collected in this instance.
*
* @param certificate
* the certificate to check.
* @return {@code true} if the certificate matches all the criteria,
* otherwise {@code false}.
*/
public boolean match(Certificate certificate) {
if (!(certificate instanceof X509Certificate)) {
return false;
}
X509Certificate cert = (X509Certificate) certificate;
if ((certificateEquals != null) && !certificateEquals.equals(cert)) {
return false;
}
if ((serialNumber != null) && !serialNumber.equals(cert.getSerialNumber())) {
return false;
}
if ((issuer != null) && !issuer.equals(cert.getIssuerX500Principal())) {
return false;
}
if ((subject != null) && !subject.equals(cert.getSubjectX500Principal())) {
return false;
}
if ((subjectKeyIdentifier != null) && !Arrays.equals(subjectKeyIdentifier, // are taken from rfc 3280 (http://www.ietf.org/rfc/rfc3280.txt)
getExtensionValue(cert, "2.5.29.14"))) {
return false;
}
if ((authorityKeyIdentifier != null) && !Arrays.equals(authorityKeyIdentifier, getExtensionValue(cert, "2.5.29.35"))) {
return false;
}
if (certificateValid != null) {
try {
cert.checkValidity(certificateValid);
} catch (CertificateExpiredException e) {
return false;
} catch (CertificateNotYetValidException e) {
return false;
}
}
if (privateKeyValid != null) {
try {
byte[] bytes = getExtensionValue(cert, "2.5.29.16");
if (bytes == null) {
return false;
}
PrivateKeyUsagePeriod pkup = (PrivateKeyUsagePeriod) PrivateKeyUsagePeriod.ASN1.decode(bytes);
Date notBefore = pkup.getNotBefore();
Date notAfter = pkup.getNotAfter();
if ((notBefore == null) && (notAfter == null)) {
return false;
}
if ((notBefore != null) && notBefore.compareTo(privateKeyValid) > 0) {
return false;
}
if ((notAfter != null) && notAfter.compareTo(privateKeyValid) < 0) {
return false;
}
} catch (IOException e) {
return false;
}
}
if (subjectPublicKeyAlgID != null) {
try {
byte[] encoding = cert.getPublicKey().getEncoded();
AlgorithmIdentifier ai = ((SubjectPublicKeyInfo) SubjectPublicKeyInfo.ASN1.decode(encoding)).getAlgorithmIdentifier();
if (!subjectPublicKeyAlgID.equals(ai.getAlgorithm())) {
return false;
}
} catch (IOException e) {
e.printStackTrace();
return false;
}
}
if (subjectPublicKey != null) {
if (!Arrays.equals(subjectPublicKey, cert.getPublicKey().getEncoded())) {
return false;
}
}
if (keyUsage != null) {
boolean[] ku = cert.getKeyUsage();
if (ku != null) {
int i = 0;
int min_length = (ku.length < keyUsage.length) ? ku.length : keyUsage.length;
for (; i < min_length; i++) {
if (keyUsage[i] && !ku[i]) {
// but certificate does not.
return false;
}
}
for (; i < keyUsage.length; i++) {
if (keyUsage[i]) {
return false;
}
}
}
}
if (extendedKeyUsage != null) {
try {
List keyUsage = cert.getExtendedKeyUsage();
if (keyUsage != null) {
if (!keyUsage.containsAll(extendedKeyUsage)) {
return false;
}
}
} catch (CertificateParsingException e) {
return false;
}
}
if (pathLen != -1) {
int p_len = cert.getBasicConstraints();
if ((pathLen < 0) && (p_len >= 0)) {
// need end-entity but got CA
return false;
}
if ((pathLen > 0) && (pathLen > p_len)) {
// allowed _pathLen is small
return false;
}
}
if (subjectAltNames != null) {
PASSED: try {
byte[] bytes = getExtensionValue(cert, "2.5.29.17");
if (bytes == null) {
return false;
}
List<GeneralName> sans = ((GeneralNames) GeneralNames.ASN1.decode(bytes)).getNames();
if ((sans == null) || (sans.size() == 0)) {
return false;
}
boolean[][] map = new boolean[9][];
// initialize the check map
for (int i = 0; i < 9; i++) {
map[i] = (subjectAltNames[i] == null) ? EmptyArray.BOOLEAN : new boolean[subjectAltNames[i].size()];
}
for (GeneralName name : sans) {
int tag = name.getTag();
for (int i = 0; i < map[tag].length; i++) {
if (subjectAltNames[tag].get(i).equals(name)) {
if (!matchAllNames) {
break PASSED;
}
map[tag][i] = true;
}
}
}
if (!matchAllNames) {
// there was not any match
return false;
}
// else check the map
for (int tag = 0; tag < 9; tag++) {
for (int name = 0; name < map[tag].length; name++) {
if (!map[tag][name]) {
return false;
}
}
}
} catch (IOException e) {
e.printStackTrace();
return false;
}
}
if (nameConstraints != null) {
if (!nameConstraints.isAcceptable(cert)) {
return false;
}
}
if (policies != null) {
byte[] bytes = getExtensionValue(cert, "2.5.29.32");
if (bytes == null) {
return false;
}
if (policies.size() == 0) {
// one policy in it.
return true;
}
PASSED: try {
List<PolicyInformation> policyInformations = ((CertificatePolicies) CertificatePolicies.ASN1.decode(bytes)).getPolicyInformations();
for (PolicyInformation policyInformation : policyInformations) {
if (policies.contains(policyInformation.getPolicyIdentifier())) {
break PASSED;
}
}
return false;
} catch (IOException e) {
// the extension is invalid
return false;
}
}
if (pathToNames != null) {
byte[] bytes = getExtensionValue(cert, "2.5.29.30");
if (bytes != null) {
NameConstraints nameConstraints;
try {
nameConstraints = (NameConstraints) NameConstraints.ASN1.decode(bytes);
} catch (IOException e) {
// the extension is invalid;
return false;
}
if (!nameConstraints.isAcceptable(pathToNames)) {
return false;
}
}
}
return true;
}
Also used :
NameConstraints(org.apache.harmony.security.x509.NameConstraints)
PolicyInformation(org.apache.harmony.security.x509.PolicyInformation)
IOException(java.io.IOException)
SubjectPublicKeyInfo(org.apache.harmony.security.x509.SubjectPublicKeyInfo)
Date(java.util.Date)
AlgorithmIdentifier(org.apache.harmony.security.x509.AlgorithmIdentifier)
ArrayList(java.util.ArrayList)
List(java.util.List)
GeneralName(org.apache.harmony.security.x509.GeneralName)
PrivateKeyUsagePeriod(org.apache.harmony.security.x509.PrivateKeyUsagePeriod)
Aggregations
AlgorithmIdentifier (org.bouncycastle.asn1.x509.AlgorithmIdentifier)249
IOException (java.io.IOException)157
AlgorithmIdentifier (com.github.zhenwei.core.asn1.x509.AlgorithmIdentifier)140
SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)79
ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)72
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)65
BigInteger (java.math.BigInteger)62
X500Name (org.bouncycastle.asn1.x500.X500Name)52
ASN1ObjectIdentifier (com.github.zhenwei.core.asn1.ASN1ObjectIdentifier)47
Date (java.util.Date)47
ASN1EncodableVector (com.github.zhenwei.core.asn1.ASN1EncodableVector)45
X509Certificate (java.security.cert.X509Certificate)45
ContentSigner (org.bouncycastle.operator.ContentSigner)40
DEROctetString (com.github.zhenwei.core.asn1.DEROctetString)39
OutputStream (java.io.OutputStream)39
DERSequence (com.github.zhenwei.core.asn1.DERSequence)38
GeneralSecurityException (java.security.GeneralSecurityException)37
X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)35
Cipher (javax.crypto.Cipher)33
PrivateKeyInfo (org.bouncycastle.asn1.pkcs.PrivateKeyInfo)33
